A firewall in its simplest form is a boundary guard between two networks, usually an internal private network and the Internet. Its main purpose is to protect a trusted network from untrusted parties on the outside that could access or tamper with internal information and resources. Firewalls can be implemented as hardware, as software, or as a combination of both. Firewalls are not just filters: they are also gateways and chokepoints, which means the protection they offer depends on all traffic actually passing through them.

A firewall should provide the following key features and characteristics.

Monitor all incoming and outgoing traffic: All traffic from inside the network to the outside, and vice versa, should pass through the firewall. This is achieved by making the firewall the only routed path into the local network, so that no host can be reached except via the firewall.

Source or destination based blocking: A firewall can block unwanted incoming traffic from a specific source or to a specific destination. An example would be blocking all incoming port 80 requests to every server except the web server.

Outgoing network traffic blocking: A firewall should give the system administrator a way to block outgoing requests to websites that the company's security policy considers harmful. Blocking known malicious or unapproved destinations limits what a phishing victim's browser can reach, which contains (but does not eliminate) the risk of phishing.

Content filtering: Inspecting the content of traffic, not just its headers, allows the firewall to scan for malware signatures and other common threats. Note that this only works on traffic the firewall can read; encrypted sessions must be terminated or decrypted at the firewall for content filtering to apply.

Support for Virtual Private Network (VPN) connections: VPNs allow secure connections from the Internet to a corporate network. Firewalls can be used to establish site-to-site and remote-access VPNs that securely connect the organization's sites and users.

Immunity to penetration: The firewall itself must resist compromise and remain stable under attack, since a compromised firewall turns a chokepoint into an open door. This implies a hardened, trusted operating system with only the services needed to run the firewall.

Firewall classification

Firewalls can be broadly classified into different types based on factors such as:

The type of protection offered

Host-based firewalls (personal firewalls)

Network-based firewalls (enterprise firewalls)

Implementation

Hardware firewalls

Software firewalls

Protection methodology

Packet filter

Stateful packet inspection

Connection filter

Application proxy filter

Classification based on type of protection offered

The kind of firewall installed for a large organization is different from the one installed on a user's desktop.

Host-based firewall: A personal firewall is most often a software application installed on a single host, protecting just that computer. Host-based firewalls can also be implemented as separate hardware components or built into other network devices. A host-based firewall typically does not provide extensive reporting and management features.

Network firewall: Network firewalls screen traffic for a number of computers at once. They provide extensive reporting and management features and allow the configuration of multiple firewalls in a single step.

Classification based on implementation

Hardware firewalls: An integrated appliance with firewall software pre-installed on a device with its own operating system is called a hardware firewall. Hardware firewalls can be implemented as dedicated computers with hard disks or as solid-state application-specific integrated circuit (ASIC) devices. ASIC firewalls are generally faster, while a hard disk is a moving part and therefore a potential single point of failure.

Software firewalls: Firewall applications installed on the user's operating system are called software firewalls. A software firewall can be implemented either as a packet filter or as a process filter. A process filter decides per application (for example, "the browser may reach the network") rather than per packet; it can be tricked into allowing malicious code to access the network when that code runs inside, or impersonates, a process that is already trusted.

Classification based on technical methodology

Static packet filter: The static packet filter checks the source and destination IP addresses in the network header and the source and destination port numbers in the transport header, and determines the protocol of the packet. This information is compared against the firewall's rules to decide whether to permit the packet or discard it at the point of entry into the network. The filtering unit denies all packets that are explicitly denied by the rule set, allows all packets that are explicitly allowed, and drops everything else (default deny). Traditionally, static packet filters are stateless: they do not keep track of connection sessions, so they cannot tell a genuine reply to an internal host from a forged packet that merely has the right flags and ports set, and the protected network remains susceptible to ping floods and other Denial of Service (DoS) attacks.

Stateful packet inspection: The packet filter examines the network and transport headers for the same information as the static packet filter. In addition, it is state-aware: it maintains a table of connection streams, which the article calls the "Connection Bypass table". All packets that share the same monitored network and transport header values form one connection stream, and each arriving packet is associated with a stream. If the packet belongs to a stream already in the table, it is allowed without further verification. If it arrives on an unknown stream, it is checked against the firewall rules and permitted only if it passes; the stream is then added to the table. The filter therefore knows the difference between a new and an established connection, and it only needs rules for how connections may be opened, not guesses about what replies look like.

Connection filter: The connection filter maintains a Connection Verification table that records the TCP flag sequence seen on each connection. By examining the state of the flags, it verifies that the TCP handshake (SYN, SYN-ACK, ACK) is valid and drops packets whose flags do not fit the current state of their connection, such as a SYN-ACK for a connection nobody opened.
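The three methodologies above, together with the "port 80 only to the web server" rule from the feature list, as an added example that is not part of the original article. It models a protected network 10.0.0.0/24 with a web server at 10.0.0.80 (constructed addresses), a stateless rule table that needs a guess rule for replies, and a stateful filter that tracks streams and TCP flag sequences instead. Packets are constructed in-line; a real filter would read the same fields from the IP and TCP headers.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model; `flags` is the set of TCP flag names that are set.
Packet = namedtuple("Packet", "proto src sport dst dport flags")

# Ordered rule table for the example network 10.0.0.0/24, web server 10.0.0.80.
# Rule: (action, proto, source network, destination network, dst port or None, require ACK).
# First match wins; anything that matches no rule is dropped (default deny).
RULES = [
    ("allow", "tcp", "0.0.0.0/0",   "10.0.0.80/32", 80,   False),  # port 80 to the web server only
    ("deny",  "tcp", "0.0.0.0/0",   "10.0.0.0/24",  80,   False),  # port 80 to any other host
    ("allow", "tcp", "10.0.0.0/24", "0.0.0.0/0",    None, False),  # outbound from the LAN
    ("allow", "tcp", "0.0.0.0/0",   "10.0.0.0/24",  None, True),   # stateless guess at replies: ACK set
]


def static_filter(pkt, rules=RULES):
    """Stateless decision from the headers of this one packet."""
    for action, proto, src_net, dst_net, dport, need_ack in rules:
        if (pkt.proto == proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
                and (dport is None or pkt.dport == dport)
                and (not need_ack or "ACK" in pkt.flags)):
            return action
    return "deny"


class StatefulFilter:
    """Stateful inspection plus TCP handshake (flag sequence) verification.

    The rule table is consulted only for a packet that opens a new stream; every
    later packet is judged against the recorded state of its stream.
    """

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = {}  # stream key -> (state, address of the initiator)

    @staticmethod
    def stream_key(pkt):
        # Both directions of one connection map to the same entry.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def decide(self, pkt):
        key = self.stream_key(pkt)
        entry = self.table.get(key)
        flags = pkt.flags
        if entry is None:
            # Unknown stream: only a bare SYN may open one, and only if the rules allow it.
            if flags != {"SYN"}:
                return "deny: no connection for this packet"
            if static_filter(pkt, self.rules) != "allow":
                return "deny: rule"
            self.table[key] = ("SYN_SENT", pkt.src)
            return "allow"
        state, initiator = entry
        if state == "SYN_SENT" and flags == {"SYN", "ACK"} and pkt.src != initiator:
            self.table[key] = ("SYN_RECV", initiator)
            return "allow"
        if state == "SYN_RECV" and flags == {"ACK"} and pkt.src == initiator:
            self.table[key] = ("ESTABLISHED", initiator)
            return "allow"
        if state == "ESTABLISHED" and "SYN" not in flags:
            if "RST" in flags:  # connection torn down: forget the stream
                del self.table[key]
            return "allow"
        return "deny: flag sequence does not fit the stream state"


def demo():
    """Run constructed packets through both filters and return the verdicts."""
    fw = StatefulFilter()
    lan, server, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    handshake = [
        Packet("tcp", lan, 51000, server, 443, {"SYN"}),
        Packet("tcp", server, 443, lan, 51000, {"SYN", "ACK"}),
        Packet("tcp", lan, 51000, server, 443, {"ACK"}),
        Packet("tcp", server, 443, lan, 51000, {"ACK", "PSH"}),  # server data
    ]
    # Forged "reply" to a port nobody opened (an ACK scan). The stateless reply
    # rule lets it in; the stateful filter has no stream for it.
    ack_scan = Packet("tcp", server, 443, lan, 51001, {"ACK"})
    return {
        "handshake": [fw.decide(p) for p in handshake],
        "web_server_80": static_filter(Packet("tcp", outsider, 40000, "10.0.0.80", 80, {"SYN"})),
        "other_host_80": static_filter(Packet("tcp", outsider, 40000, "10.0.0.20", 80, {"SYN"})),
        "ack_scan_stateless": static_filter(ack_scan),
        "ack_scan_stateful": fw.decide(ack_scan),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last rule in the stateless table is the weakness the article describes: without state, the only way to admit replies to outbound connections is to admit anything that looks like a reply, and an attacker can make a probe look like one by setting the ACK flag. The stateful filter never consults that rule because it only evaluates rules for a bare SYN, and every other packet must fit the flag sequence of a stream it has already seen.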

Application proxy filter: The application proxy examines the network header for the source and destination IP addresses, the transport header for the source and destination port numbers, and the header of an application protocol such as HTTP or Telnet. This type of firewall terminates the connection and reconstructs the request inside the firewall host before forwarding it, so malformed or evasive packets never reach the protected host directly. Such reconstruction at the application layer carries a performance penalty and increases the latency of the application.

Key Firewall Requirements Include:

Operations requirements

Provides an intuitive working user interface to ensure that staff can be trained to operate the system

Supports application level backups using the vendor provided tools that can be scheduled on a regular basis

Performance and capacity requirements

Supports the peak traffic/number of simultaneous connections/connection rate that is expected.

Supports any load from the variously defined user communities

Supports communications from multiple time zones

Synchronizes with the approved trusted time source

Availability requirements

Provides 99.999% availability

Utilizes local and global replication features to support performance, failover and high availability

Reliability requirements

Meets any applicable service continuity requirements

Detects and notifies when event data is corrupted

Fails gracefully without taking any other infrastructure component or node down with it

Provides disaster recovery and failover options

Monitoring and notifications requirements

Can be monitored using the approved system management capability

Aligns with the security and network management program

IPS (Purpose / Definition)

An Intrusion Prevention System (IPS) has all the capabilities of an Intrusion Detection System (IDS) and can also attempt to stop possible incidents according to the actions configured. It extends the IDS function by detecting potential threats and invoking actions to mitigate the risk. An IPS is deployed inline, so traffic passes directly through it; if the IPS goes down, traffic is dropped (fail-closed) or passed uninspected (fail-open, usually through a hardware bypass), depending on how it is deployed, and that choice is itself a security decision. An IDS, being a passive device, is deployed out of band (for example on a SPAN port or network tap) in promiscuous mode, so traffic continues to flow whatever the IDS does.

There are many types of IPS technologies, differentiated primarily by the kinds of events they can identify and the methodologies they use to identify incidents. In addition to monitoring and analyzing events to recognize unwanted activity, all types of IPS technologies typically perform the following:

Tracking and recording information associated with the observed events: Information is generally recorded locally, and may also be sent to a separate system such as a security information and event management (SIEM) system, a centralized logging server, or other enterprise management systems.

Alerting and notifying security administrators of significant observed events: These notifications, commonly called alerts, can be sent through any of several methods, including but not restricted to SMS messages, syslog messages, e-mails, messages on the IDS user interface, SNMP (Simple Network Management Protocol) traps, and user-defined programs and scripts. A notification message typically includes only elementary information about an event; administrators need to access the intrusion detection and prevention system (IDPS) itself for the details.

Producing reports: Reports summarize the monitored events or provide details on particular events of interest.

Some IPSs are also able to change their security profile when a new threat is detected. For example, an IDPS might collect more detailed information for a particular session once malicious activity is detected within that session. An IPS might also alter the conditions under which certain alerts are triggered, or the priority assigned to subsequent alerts, after a specific threat is detected.

IPS technologies are differentiated from IDS technologies by one major characteristic: an IPS can respond to a detected threat by attempting to prevent it from succeeding. They use numerous response techniques, which fall into the following groups:

The IPS stops the attack itself. Examples of how this can be done:

Terminate the network connection or user session that is being used for the attack, in real time

Block access to the target (and possibly other likely targets) from the offending user account, IP address, or other attacker attribute

Block all access to the targeted host, service, application, or other resource

The IPS modifies the security environment. The IPS could alter the configuration of other security controls to disrupt an attack, such as reconfiguring a network device (e.g. firewall, router, switch) to block access, or changing a host-based firewall configuration on the target to block the incoming attack.

The IPS changes the attack's content. For example, some IPS technologies can remove or replace the malicious portion of an attack to make it benign, as when an IPS strips an infected file attachment from an e-mail and then allows the cleaned e-mail to reach its intended recipient. An IPS that acts as a proxy may also normalize incoming requests: the proxy re-packages the payload of each request from what it parsed, discarding header information it does not understand. This causes certain attacks, particularly those relying on malformed or ambiguous headers and encodings, to be thrown out as part of the normalization process.
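The proxy-style behaviour described here and under "Application proxy filter" above, plus two of the response actions (record the event, block the offending source), as an added example that is not part of the original article. The signatures, the list of headers the proxy is willing to forward, the sensor name "ips-demo" and the sample requests are all constructed for the illustration. The request is parsed, matched on its decoded form, and either dropped, blocked, or rebuilt from the parsed fields before forwarding.

```python
import re
from urllib.parse import quote, unquote

# Constructed detection content: (name, pattern) applied to the normalized request.
SIGNATURES = [
    ("path traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("shell command injection", re.compile(r"[;|`]\s*(cat|sh|bash|nc)\b")),
]

# Headers the proxy is willing to pass on; everything else is discarded when
# the request is rebuilt (the normalization described in the text).
FORWARDED_HEADERS = {"host", "content-type", "content-length", "user-agent", "accept"}


def parse_request(raw: bytes) -> dict:
    """Parse an HTTP/1.1 request; raise ValueError for anything ambiguous or malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        raise ValueError("bad request line")
    method, target, _ = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        name = name.strip().lower()
        if not colon or not name or "\n" in value or "\x00" in value:
            raise ValueError("bad header line")
        if name in headers:
            raise ValueError("duplicate header: " + name)  # e.g. two Content-Length values
        headers[name] = value.strip()
    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("both Transfer-Encoding and Content-Length")  # request smuggling ambiguity
    if int(headers.get("content-length", "0")) != len(body):
        raise ValueError("Content-Length does not match body")
    return {"method": method, "target": target, "headers": headers, "body": body}


def rebuild_request(req: dict) -> bytes:
    """Re-create the request from parsed fields only: canonical target, known headers, true length."""
    target = quote(unquote(req["target"]), safe="/?&=")
    out = [f"{req['method']} {target} HTTP/1.1"]
    for name in sorted(req["headers"]):
        if name in FORWARDED_HEADERS and name != "content-length":
            out.append(f"{name}: {req['headers'][name]}")
    out.append(f"content-length: {len(req['body'])}")
    return "\r\n".join(out).encode("latin-1") + b"\r\n\r\n" + req["body"]


class InlineIPS:
    """Proxy-style IPS: parse, normalize, match signatures, respond, or forward the rebuilt request."""

    def __init__(self):
        self.blocked_sources = set()  # response action: block the offending address
        self.events = []              # local event record; a real sensor would also ship these to a SIEM

    def record(self, kind, src, detail):
        self.events.append({"type": kind, "sensor": "ips-demo", "src": src, "detail": detail})

    def handle(self, src_ip: str, raw: bytes):
        """Return (verdict, bytes to forward or None)."""
        if src_ip in self.blocked_sources:
            return "blocked-source", None
        try:
            req = parse_request(raw)
        except ValueError as err:
            self.record("malformed", src_ip, str(err))
            return "dropped", None
        # Match on the decoded form so percent-encoding cannot hide the attack.
        subject = unquote(req["target"]) + "\n" + req["body"].decode("latin-1")
        for name, pattern in SIGNATURES:
            if pattern.search(subject):
                self.record("attack", src_ip, name)
                self.blocked_sources.add(src_ip)
                return "blocked", None
        return "forwarded", rebuild_request(req)


# Constructed sample traffic.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"X-Debug-Token: 1\r\nUser-Agent: demo\r\n\r\n")
TRAVERSAL = b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SMUGGLE = (b"POST /api HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Length: 4\r\nContent-Length: 11\r\n\r\nq=1")

if __name__ == "__main__":
    ips = InlineIPS()
    for src, raw in [("198.51.100.7", BENIGN), ("198.51.100.9", TRAVERSAL),
                     ("198.51.100.9", BENIGN), ("198.51.100.8", SMUGGLE)]:
        print(src, ips.handle(src, raw)[0])
    print(ips.events)
```

Two things are worth noticing. The forwarded request is not the bytes the client sent: the unknown X-Debug-Token header is gone, the Content-Length is recomputed from the body that was actually parsed, and the target is re-encoded in one canonical form, which is exactly the "re-packaging" the text describes. And the request with two Content-Length headers is dropped before any signature runs, because a proxy that refuses to guess which length the back end will honour removes the ambiguity that request smuggling depends on.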

Key IPS Requirements Include:

Operations requirements

Supports defining and labeling custom checks, attack vectors, or other controlled events (e.g. through a vulnerability description language)

Provides the capability of declining updates (or rolling the system back to its previous state)

Supports false negative notification (e.g. alerting the operator that the sensor cannot keep up with the traffic load and is starting to miss events)

Processes fragmented packets

Supports additional customization of each signature according to specific user requirements (e.g. to reduce false positives)

Notifies personnel when the IDS detects an attack, misuse, or other anomaly, including sending a notification to the system's central console and registering the event in the event database, a syslog server, etc.

Logs the type of event, the date and time of detection, the sensor that detected the event, the source and destination addresses related to the event, and the full content of all data fields related to the event

Provides an event tracing mechanism that records all events in the same sequence and with the same timing in which the intruder performed them

Supports remote management of a large (in practice unlimited) number of sensors

Supports hierarchical management, allowing the system to fail over between two consoles automatically, without user intervention

Provides the ability to specify priorities for detected attacks and vulnerabilities both statically and dynamically

Provides a comprehensive report generating mechanism (e.g. reports at various levels of detail, information on the identified attack along with the operating systems and applications vulnerable to it, cases of false positives, methods of elimination, etc.)

Provides an intuitive working user interface to ensure that staff can be trained to operate the system

Supports application level backups using the vendor provided tools that can be scheduled on a regular basis
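The "processes fragmented packets" requirement above matters because of a specific failure mode: a signature split across two fragments never appears in any single packet. The following added example (not part of the original article) shows a per-packet scan missing a constructed signature for cmd.exe, a small reassembler catching it, and the reassembler refusing an overlapping fragment whose bytes contradict what was already received, since different target hosts resolve such overlaps differently and the sensor cannot know which version the target will see. Fragment offsets are modelled as plain byte offsets; a real sensor takes them from the IP header.

```python
import re
from collections import defaultdict

# Constructed signature: a request for cmd.exe on a web server.
SIGNATURE = re.compile(rb"cmd\.exe")

# Fragment model: (stream id, byte offset within the original payload, data, last fragment?).


def scan_each_fragment(fragments):
    """Naive per-packet matching: every fragment is inspected in isolation."""
    return [sid for sid, _, data, _ in fragments if SIGNATURE.search(data)]


class Reassembler:
    """Collect fragments per stream; return the whole payload once it is complete and unambiguous."""

    def __init__(self, max_payload=65535):
        self.max_payload = max_payload
        self.pending = defaultdict(dict)  # stream -> {offset: data}
        self.total = {}                   # stream -> expected length, known once the last fragment arrives

    def add(self, sid, offset, data, last):
        """Return the reassembled payload, None while incomplete; raise ValueError on an ambiguous stream."""
        if offset + len(data) > self.max_payload:
            raise ValueError("fragment exceeds maximum payload")
        buf = self.pending[sid]
        for off, old in buf.items():
            lo, hi = max(off, offset), min(off + len(old), offset + len(data))
            if lo < hi and old[lo - off:hi - off] != data[lo - offset:hi - offset]:
                # Overlapping fragments that disagree: drop the stream rather than guess.
                del self.pending[sid]
                self.total.pop(sid, None)
                raise ValueError("conflicting overlap in stream %r" % sid)
        buf[offset] = data
        if last:
            self.total[sid] = offset + len(data)
        if sid not in self.total:
            return None
        # Complete only when the fragments cover [0, total) without gaps.
        assembled = bytearray()
        for off in sorted(buf):
            if off > len(assembled):
                return None
            assembled[off:off + len(buf[off])] = buf[off]
        if len(assembled) < self.total[sid]:
            return None
        del self.pending[sid]
        del self.total[sid]
        return bytes(assembled)


def demo():
    """Split one request across fragments and compare per-packet scanning with reassembly."""
    request = b"GET /scripts/cmd.exe?/c+dir HTTP/1.1\r\n"
    frags = [("s1", 0, request[:16], False), ("s1", 16, request[16:], True)]  # "...cmd" | ".exe?..."
    naive_hits = scan_each_fragment(frags)
    r = Reassembler()
    results = [r.add(*f) for f in frags]  # [None, full payload]
    reassembled_hit = bool(SIGNATURE.search(results[-1]))
    # Evasion attempt: a later fragment rewrites bytes an earlier one already delivered.
    r2 = Reassembler()
    r2.add("s2", 0, b"GET /scripts/AAA.exe", False)
    try:
        r2.add("s2", 13, b"cmd.exe?/c+dir\r\n", True)
        conflict = False
    except ValueError:
        conflict = True
    return {"per_fragment_hits": naive_hits, "reassembled_hit": reassembled_hit,
            "conflict_detected": conflict}


if __name__ == "__main__":
    print(demo())
```

The reassembler also needs the maximum-payload bound: without it an attacker can send fragments with large offsets and force the sensor to allocate memory for payloads that never complete, which is the workload-related false negative the requirements list warns about.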

Performance and capacity requirements

Supports the expected peak number of simultaneous connections, traffic volume and connection rate. Note that the number of packets this node must handle should be computed at the protocol level, not at the business function or user activity level, since one user action can translate into many packets

Supports any load from the variously defined user communities

Supports communications from multiple time zones

Synchronizes with the approved trusted time source

Availability requirements

Provides 99.999% availability

Utilizes local and global replication features to support performance, failover and high availability

Reliability requirements

Meets any applicable service continuity requirements

Detects and notifies when event data is corrupted

Fails gracefully without taking any other infrastructure component or node down with it

Maintainability requirements

Provides updates to the signature database

Uses industry standard repositories to store output data that support local and geographic failover

Monitoring and notifications requirements

Can be monitored using the approved system management capability

Aligns with the security and network management program

Conclusion

From a CISSP perspective, perimeter defense techniques are a crucial element of the technical domains, and technologies such as firewalls and IPS are among the areas assessed in the greatest depth. After reading this article, readers should be able to answer the following questions:

Why are these technologies used?

What capabilities do these technologies provide?

How do they differ from each other, and which is appropriate for which environment?
